Members: 

Ailsa Beaton (chair) Non-Executive Director 

Roger Barlow Independent Audit Committee member 

Jane McCall Non-Executive Director 

Attendees: 

ICO 

Paul Arnold Deputy CEO 

Louise Byers Head of Risk and Governance 

Elizabeth Denham Information Commissioner 

Heather Dove Head of Finance 


Internal Auditors 
Phil Keown Grant Thornton 
Paul Eckersley Grant Thornton 


External Auditors 


Matthew Atkinson NAO (by telephone) 

David Eagles BDO 

Mark Coleman BDO 

Secretariat 

Peter Bloomfield Senior Corporate Governance Manager 
Caroline Robinson Corporate Governance Officer 


1. Introductions and apologies 


1.1. Paul Keane NAO was unable to attend the meeting due 
to other commitments. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Matters arising from the previous meeting 
3.1. The minutes were confirmed as being accurate. 


3.2. Peter Bloomfield advised the committee that all of the 
actions from earlier meetings had been cleared, and provided 
an update on steps taken to promote staff behaviour 
documents such as the Staff Code. 


4. Commissioner’s update 


4.1. Elizabeth Denham highlighted the amount of work the 
ICO faced at present, in particular in respect of monitoring 
the progress of the Data Protection Bill through Parliament, 
guidance and tool-kit development, the new SME helpline and 
testing of the new data breach hotline. Jane McCall 
commented that feedback from other organisations she was 
involved with on ICO guidance and tools had been very 
positive. 


4.2. The new funding regime was expected to commence on 
25 May with the Statutory Instrument expected to be laid on 
20 February. Current notifications with the Commissioner had 
recently reached 500,000. Expected fee rates had been used 
to model ICO income over the next few years. For prudence, 
this has been based on the assumption that there would be no 
increase in numbers of data controllers registering, though 
this will be kept under review. 


4.3. Elizabeth Denham advised the committee of progress in 
staffing and resourcing issues. The governance around 
decisions on pay was discussed with the need to be 
transparent about changes and the evidence for them, and 
the affordability of any changes going forward. In addition 
the Management Agreement with the DCMS would be 
changed to reflect the current position. 


4.4. It was confirmed that the Information Rights Strategic 
Plan was being reviewed for 2018/19 and pay changes had 
been factored into the draft 2018/19 budget. The presence of 
a three year plan and budget would support the statement in 
the Annual Report and Accounts that the ICO was a going 
concern. 


5. Risk and opportunity register 


5.1. Louise Byers talked through the main changes to the 
strategic risk and opportunity register. The biggest priority 
was the opportunity to develop the ICO’s culture alongside 
the changes in processes. Risks had also increased in the 
areas of producing GDPR guidance and in meeting 
stakeholder expectations. Recruitment and retention risks 
also remained a concern. 


5.2. In addition, continuing uncertainty as the date for the UK 
leaving the EU gets closer, and a lack of clarity over 
transitional arrangements, have heightened the risk for the ICO 
in this area. 


5.3. Risks arising from the expected expansion of the office, 
including the practicalities of recruiting and inducting so 
many new staff were raised and discussed. 


6. Finance 


December finance report 


6.1. Heather Dove explained that the ICO remained on track 
to spend to forecast at year end. There were areas of 
uncertainty, especially around legal costs, and expenditure in 
such areas was being closely monitored. 


6.2. Cash flow was also on track; there had been no drop in 
registrations and growth was about 7%. 


IFRS update 


6.3. Heather Dove provided a note on the introduction of 
new financial standards. The new standard on leases would 
apply to the ICO but not this financial year. 


Action point: Peter Bloomfield to put on the Audit 
Committee work programme an annual review of any 
accounting standards at the January meeting. 


7. Outstanding audit recommendations 


7.1. Peter Bloomfield introduced the register of outstanding 
audit recommendations. One recommendation had been 
added, one cleared and one remained outstanding. The 
outstanding recommendation related to consideration of 
whether or not the ICO would benefit from BS10008 on the 
evidential weight and legal admissibility of electronic 
information. 


7.2. The Audit Committee noted the need to ensure that 
dates agreed for the completion of audit recommendations 
were realistic. 


8. Internal audit 


Internal audit update 


8.1. Grant Thornton provided an update on progress against 
the internal audit plan. In respect of the expenses review the 
field work had been completed but management needed to 
consider the report further. It was noted that the review as it 
stood did demonstrate that the ICO was compliant with HMRC 
rules on expenses. 


8.2. Fieldwork on the Corporate Governance and Risk 
Management review had been completed and the review 
would come to management for comments soon. 


8.3. Planning was ongoing for the GDPR follow up review. 


8.4. Grant Thornton advised that they expected to be able to 
bring the outstanding reviews and a draft audit opinion to the 
April Audit Committee. 


Action point 2: Grant Thornton to bring the outstanding 
reviews to Audit Committee on 27 April along with a 
draft audit opinion for 2017/18. 


IT Procurement review 


8.5. Grant Thornton summarised the results of the IT 
procurement review. The recommendation, that the ICO 
include the need for performance metrics in contracts for 
services they are procuring, had been broadened to cover all 
procurements. Management expected the recommendation to 
be cleared in respect of IT procurements by the deadline of 
31 May. 


9. External audit 


9.1. BDO introduced the audit planning report for 2017/18. 
Audit risks were detailed in the areas of management 
override of controls, early terminations and implementation 
of the EU data protection reforms (GDPR). BDO noted that 
materiality had also increased. 


9.2. [Redacted] 


9.3. The expected net deficit position for 2018/19 had been 
discussed with management side and both auditors and 
management were working on explanatory wording for the 
Annual Report and Accounts. 


9.4. It was confirmed that the June Audit Committee 
meeting provided the opportunity for the committee to 
provide their assurance to the Information Commissioner as 
Accounting Officer. 


9.5. Appendix seven of the report covered preventing and 
detecting fraud. The Committee was asked if it had any 
knowledge of any actual or suspected fraud. In response the 
Committee confirmed that it had none, and that it received 
quarterly reports on fraud, whistleblowing and security 
incidents. 


9.6. In respect of follow up on previous recommendations 
BDO confirmed that the only outstanding issue was the 
Management Agreement with the DCMS. 


10. Fraud, whistleblowing and security 


10.1. The report on fraud, whistleblowing and security 
incidents covering quarters two and three was presented to 
the committee. 


10.2. [Redacted] 


10.3. It was confirmed that Louise Byers would be the ICO’s 
data protection officer. 


10.4. The Audit Committee asked for more information to be 
included in the report on the scale of the incident, e.g. an 
incident involving a complainant would include figures on the 
total number of complainant transactions, to give the 
context. 


Action point 3: Peter Bloomfield to ensure the report 
provides context on the scale of any security incident 
in future. 


11. Any other urgent business 


11.1. The procurement of the internal audit function was 
discussed by the committee. 


11.2. The timing of the next committee meeting was to be 
reviewed. 


Action point 4: Peter Bloomfield to contact committee 
members and attendees to seek views on moving the 
next meeting forward. 


